Client-Side Defense Against Web-Based Identity Theft

Total Page:16

File Type:pdf, Size:1020Kb

Client-Side Defense Against Web-Based Identity Theft Client-side defense against web-based identity theft Neil Chou Robert Ledesma Yuka Teraguchi Dan Boneh John C. Mitchell Computer Science Department, Stanford University, Stanford CA 94305 {neilchou, led242, yukat, dabo, jcm}@stanford.edu Abstract experiment with this approach using a browser plug-in called SpoofGuard. The plug-in monitors a user’s In- ternet activity, computes a spoof index, and warns the Web spoofing is a significant problem involving fraud- user if the index exceeds a level selected by the user. ulent email and web sites that trick unsuspecting users While Internet-savvy users who watch the address bar, into revealing private information. We discuss some status bar, and other information carefully may not need aspects of common attacks and propose a framework SpoofGuard, the current level of accuracy and effec- for client-side defense: a browser plug-in that exam- tiveness may be sufficient to help many unsophisticated ines web pages and warns the user when requests for web users. If the methods we propose become widely data may be part of a spoof attack. While the plug- deployed, through our plug-in or through other client- in, SpoofGuard, has been tested using actual sites ob- side defensive software, then phishers will certainly take tained through government agencies concerned about steps to circumvent them. However, we expect further the problem, we expect that web spoofing and other effort and study to produce correspondingly better de- forms of identity theft will be continuing problems in fenses. Moreover, if synergistic server-side methods are coming years. deployed by concerned companies, it seems possible to thwart increasingly sophisticated attacks. SpoofGuard uses domain name, url, link, and 1 Introduction image checks to evaluate the likelihood that a given page is part of a spoof attack. For ex- Web spoofing, also known as “phishing” or “carding” ample, a page with a suspicious url such as [CNN03, FBI03], is a significant form of Internet crime etrade-maintenance.suspicious.org that is launched against hundreds or thousands of indi- or [email protected]/ viduals each day. The US Secret Service and the San maintainance.asp and an E*Trade logo will have Francisco Electronic Crimes Task Force report that ap- a higher spoof index than a page with neither of these proximately 30 attack sites are detected each day. Each characteristics. SpoofGuard also uses history, such as attack site may be used to defraud hundreds or thousands whether the user has visited this domain before and of victims, and it is likely that many attack sites are whether the referring page was from an email site never detected. A typical web spoof attack begins with such as Hotmail or Yahoo!Mail. Most importantly, bulk email to a group of unsuspecting victims. Each is SpoofGuard intercepts and evaluates user posts in told that there is a problem with their account at a site light of relevant history and the spoof index of a form such as E*Trade. Victims of the spoofing attack then fol- page. SpoofGuard examines post data user name and low a link in the email message to connect to a spoofed password fields and compares posted data to previ- E*Trade site. Once a victim enters his or her user name ously entered passwords from different domains. This and password on the spoof site, the criminal has the mechanism warns a user against sending her E*Trade means to impersonate the victim, potentially withdraw- password to a site with an E*Trade logo but outside ing money from the victim’s account or causing harm in the etrade.com domain, for example. Password other ways. comparisons are done using a cryptographically secure We describe some common characteristics of recent hash, so that plaintext passwords are never stored by web spoofing attacks and propose a framework for SpoofGuard. client-side countermeasures. Like other inexact detec- Stopping web spoofing bears some similarity to intru- tion mechanisms, including virus detection and email sion detection, spam filtering, and thwarting traditional spam filtering, the approach we explore involves look- social engineering attacks. Intrusion detection systems ing for characteristics of previously detected attacks. We [Pax99, Sno03] typically monitor network and host ac- 1 tivity, compute statistical or other indices, and attempt tegrity of browser indicators such as the url indicator in to detect intrusions by comparing the index of current the status bar, not analyzing user behavior, web pages, activity against previous statistics. While web spoofing and html post data to stop leakage of sensitive user in- may be regarded as a special case of intrusion detection, formation. While we considered using an alternate term the browser seems like that appropriate place to combat such as “phishing” in this paper, we use “web spoofing” web spoofing. A browser plug-in is relatively easy to in- since this currently appears to be the term most com- stall and has access to honest and spoof pages sent over monly used by law enforcement and concerned compa- https, giving SpoofGuard a better chance of catching an nies. attack than a network proxy or other external http traffic The goals of this paper are to raise awareness of the monitors. While a plug-in alone does not have full infor- web spoofing problem and propose a framework for mation from email programs such as Outlook or Eudora client-side protection. While sophisticated and deter- that may contain the messages that launch an attack, the mined attackers will be able to circumvent our current browser does provide an indication of the referring page tests (through simple techniques we explain later in the or application, and it is possible to scan and parse pages paper), there is plenty of room for improving specific from email sites such as Hotmail or Yahoo!Mail. There- tests and tuning the coefficients of our spoof index func- fore, for non-expert users who read email through their tion. Furthermore, the web spoofing problem is impor- browser, SpoofGuard has the potential to examine every tant and we believe our SpoofGuard experience will be step of a standard web spoof attack. useful for developing more sophisticated defenses. We Like other intrusion detection efforts, it is appropriate discuss the web spoofing problem in more detail in Sec- to evaluate SpoofGuard by measuring its effective at pre- tion 2, and our solutions in Section 3. The SpoofGuard venting attacks, the false alarm rate (number of unnec- implementation and user interface are described in Sec- essary warnings), and its performance impact. Spoof- tion 4. Some SpoofGuard evaluation information ap- Guard will only be useful if it detects attacks without pears in Section 5, followed by suggestions for server- raising too many false alarms, since users will almost side methods in Section 6, some more speculative client- certainly reject any method that interferes with normal side methods in Section 7, and concluding remarks in browsing activity. We have evaluated the false-alarm Section 8. rate by using SpoofGuard ourselves over a period of Throughout the paper we use the following terminol- time, and we have evaluated its effectiveness for pre- ogy. venting attacks using actual spoof sites brought to our • Spoof site or Spoof page: the site or page that is a attention by members of the San Francisco Electronic malicious copy of some legitimate web page. Crimes Task Force. While this is not an extensive • Attacker: the person or organization who sets up enough test to draw broader conclusions, SpoofGuard the spoof site. does catch the sample attacks found in the wild and does • Honest site or honest page: the legitimate site or not add any noticeable delay to ordinary web browsing. page that is being spoofed. Since web spoofing attacks begin with bulk email, a • Spoof index: a measure of the likelihood that a spe- good general spam solution [Bri03, Din03] could reduce cific page is part of a spoof attack, described in Sec- the incidence of web spoofing attacks. However, current tion 3. spam solutions are only partly effective at blocking un- wanted email, and we are not aware of any spam efforts A prototype version of SpoofGuard will be made pub- aimed specifically at identify theft. While the browser- licly available shortly. based techniques we explore in this paper are comple- mentary and independent of spam filtering, there may be 2 Theproblem additional ways of combining email scanning with web According to Agents of the U.S. Secret Service San page analysis that will lead to better spoof prevention in Francisco Electronic Crimes Task Force [Von03], the the future. U.S. Government’s Internet Fraud Complaint Center re- Previous efforts by the Princeton Secure Internet Pro- ceived over 75,000 complaints in 2002. Of this number, gramming group and others [FBDW97, EY01] have ad- 48,000 cases resulted in further action requests. This is dressed another form of “web spoofing” in which an a three-fold increase over 2001. The total dollar losses attacker causes all html page requests from a victim are estimated at more than $54 million compared to $17 to pass through the attacker’s site. This form of web million for 2001. A majority of these fraud complaints spoofing allows the attacker to monitor all of the vic- are intrusions, auction fraud, credit card/debit fraud, and tim’s activities, including posted passwords or account computer intrusion. Agents of the U.S. Secret Service numbers. However, previous methods for countering San Francisco Electronic Crimes Task Force report that this form of attack have focused on maintaining the in- web spoofing was first noticed in late 2001 and grew in 2 popularity in 2002, correlating with the large increase in gan Stanley’s Discover unit, eBay Inc.
Recommended publications
  • How to Analyze the Cyber Threat from Drones
    C O R P O R A T I O N KATHARINA LEY BEST, JON SCHMID, SHANE TIERNEY, JALAL AWAN, NAHOM M. BEYENE, MAYNARD A. HOLLIDAY, RAZA KHAN, KAREN LEE How to Analyze the Cyber Threat from Drones Background, Analysis Frameworks, and Analysis Tools For more information on this publication, visit www.rand.org/t/RR2972 Library of Congress Cataloging-in-Publication Data is available for this publication. ISBN: 978-1-9774-0287-5 Published by the RAND Corporation, Santa Monica, Calif. © Copyright 2020 RAND Corporation R® is a registered trademark. Cover design by Rick Penn-Kraus Cover images: drone, Kadmy - stock.adobe.com; data, Getty Images. Limited Print and Electronic Distribution Rights This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited. Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial use. For information on reprint and linking permissions, please visit www.rand.org/pubs/permissions. The RAND Corporation is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous. RAND is nonprofit, nonpartisan, and committed to the public interest. RAND’s publications do not necessarily reflect the opinions of its research clients and sponsors. Support RAND Make a tax-deductible charitable contribution at www.rand.org/giving/contribute www.rand.org Preface This report explores the security implications of the rapid growth in unmanned aerial systems (UAS), focusing specifically on current and future vulnerabilities.
    [Show full text]
  • An Email Application with Active Spoof Monitoring and Control
    2016 International Conference on Computer Communication and Informatics (ICCCI -2016), Jan. 07 – 09, 2016, Coimbatore, INDIA An Email Application with Active Spoof Monitoring and Control T.P. Fowdur, Member IEEE and L.Veerasoo [email protected] [email protected] Department of Electrical and Electronic Engineering University of Mauritius Mauritius Abstract- Spoofing is a serious security issue for email overview of some recent anti-spoofing mechanisms is now applications. Although several anti-email spoofing techniques presented have been developed, most of them do not provide users with sufficient control and information on spoof attacks. In this paper In [11], the authors proposed an anti-spoofing scheme for IP a web-based client oriented anti-spoofing email application is packets which provides an extended inter-domain packet filter proposed which actively detects, monitors and controls email architecture along with an algorithm for filter placement. A spoofing attacks. When the application detects a spoofed security key is first placed in the identification field of the IP message, it triggers an alert message and sends the spoofed header and a border router checks the key on the source message into a spoof filter. Moreover, the user who has received packet. If this key corresponds to the key of the target packet, the spoofed message is given the option of notifying the real sender of the spoofing attack. In this way an active spoof control the packet is considered valid, else it is flagged as a spoofed is achieved. The application is hosted using the HTTPS protocol packet. A Packet Resonance Strategy (PRS) which detects and uses notification messages that are sent in parallel with email different types of spoofing attacks that use up the resources of messages via a channel that has been secured by the Secure the server or commit data theft at a datacenter was proposed in Socket Layer (SSL) protocol.
    [Show full text]
  • GNSS Spoofing
    COMPANY CONFIDENTIAL NLR-CR-2019-001-PT-1-RevEd-1 | June 2019 GNSS spoofing Revised Edition CUSTOMER: Agentschap Telecom NLR – Netherlands Aerospace Centre Netherlands Aerospace Centre NLR is a leading international research centre for aerospace. Bolstered by its multidisciplinary expertise and unrivalled research facilities, NLR provides innovative and integral solutions for the complex challenges in the aerospace sector. NLR's activities span the full spectrum of Research Development Test & Evaluation (RDT & E). Given NLR's specialist knowledge and facilities, companies turn to NLR for validation, verification, qualification, simulation and evaluation. NLR thereby bridges the gap between research and practical applications, while working for both government and industry at home and abroad. NLR stands for practical and innovative solutions, technical expertise and a long-term design vision. This allows NLR's cutting edge technology to find its way into successful aerospace programs of OEMs, including Airbus, Embraer and Pilatus. NLR contributes to (military) programs, such as ESA's IXV re-entry vehicle, the F-35, the Apache helicopter, and European programs, including SESAR and Clean Sky 2. Founded in 1919, and employing some 600 people, NLR achieved a turnover of 76 million euros in 2017, of which 81% derived from contract research, and the remaining from government funds. For more information visit: www.nlr.nl COMPANY CONFIDENTIAL NLR-CR-2019-001-PT-1-RevEd-1 | June 2019 GNSS spoofing Revised Edition CUSTOMER: Agentschap Telecom AUTHOR(S): J.J.P. van Es NLR J.D. van Bruggen-van Putten NLR H.D. Zelle NLR NLR - Netherlands Aerospace Centre June 2019 | NLR-CR-2019-001-PT-1-RevEd-1 COMPANY CONFIDENTIAL No part of this report may be reproduced and/or disclosed, in any form or by any means without the prior written permission of the owner.
    [Show full text]
  • Zerohack Zer0pwn Youranonnews Yevgeniy Anikin Yes Men
    Zerohack Zer0Pwn YourAnonNews Yevgeniy Anikin Yes Men YamaTough Xtreme x-Leader xenu xen0nymous www.oem.com.mx www.nytimes.com/pages/world/asia/index.html www.informador.com.mx www.futuregov.asia www.cronica.com.mx www.asiapacificsecuritymagazine.com Worm Wolfy Withdrawal* WillyFoReal Wikileaks IRC 88.80.16.13/9999 IRC Channel WikiLeaks WiiSpellWhy whitekidney Wells Fargo weed WallRoad w0rmware Vulnerability Vladislav Khorokhorin Visa Inc. Virus Virgin Islands "Viewpointe Archive Services, LLC" Versability Verizon Venezuela Vegas Vatican City USB US Trust US Bankcorp Uruguay Uran0n unusedcrayon United Kingdom UnicormCr3w unfittoprint unelected.org UndisclosedAnon Ukraine UGNazi ua_musti_1905 U.S. Bankcorp TYLER Turkey trosec113 Trojan Horse Trojan Trivette TriCk Tribalzer0 Transnistria transaction Traitor traffic court Tradecraft Trade Secrets "Total System Services, Inc." Topiary Top Secret Tom Stracener TibitXimer Thumb Drive Thomson Reuters TheWikiBoat thepeoplescause the_infecti0n The Unknowns The UnderTaker The Syrian electronic army The Jokerhack Thailand ThaCosmo th3j35t3r testeux1 TEST Telecomix TehWongZ Teddy Bigglesworth TeaMp0isoN TeamHav0k Team Ghost Shell Team Digi7al tdl4 taxes TARP tango down Tampa Tammy Shapiro Taiwan Tabu T0x1c t0wN T.A.R.P. Syrian Electronic Army syndiv Symantec Corporation Switzerland Swingers Club SWIFT Sweden Swan SwaggSec Swagg Security "SunGard Data Systems, Inc." Stuxnet Stringer Streamroller Stole* Sterlok SteelAnne st0rm SQLi Spyware Spying Spydevilz Spy Camera Sposed Spook Spoofing Splendide
    [Show full text]
  • Clickjacking: Attacks and Defenses
    Clickjacking: Attacks and Defenses Lin-Shung Huang Alex Moshchuk Helen J. Wang Carnegie Mellon University Microsoft Research Microsoft Research [email protected] [email protected] [email protected] Stuart Schechter Collin Jackson Microsoft Research Carnegie Mellon University [email protected] [email protected] Abstract such as a “claim your free iPad” button. Hence, when Clickjacking attacks are an emerging threat on the web. the user “claims” a free iPad, a story appears in the user’s In this paper, we design new clickjacking attack variants Facebook friends’ news feed stating that she “likes” the using existing techniques and demonstrate that existing attacker web site. For ease of exposition, our description clickjacking defenses are insufficient. Our attacks show will be in the context of web browsers. Nevertheless, the that clickjacking can cause severe damages, including concepts and techniques described are generally applica- compromising a user’s private webcam, email or other ble to all client operating systems where display is shared private data, and web surfing anonymity. by mutually distrusting principals. We observe the root cause of clickjacking is that an Several clickjacking defenses have been proposed and attacker application presents a sensitive UI element of a deployed for web browsers, but all have shortcomings. target application out of context to a user (such as hiding Today’s most widely deployed defenses rely on frame- the sensitive UI by making it transparent), and hence the busting [21, 37], which disallows a sensitive page from user is tricked to act out of context. To address this root being framed (i.e., embedded within another web page).
    [Show full text]
  • Cases of IP Address Spoofing and Web Spoofing —
    3-3 StudiesonCountermeasuresforThwarting SpoofingAttacks—CasesofIPAddress SpoofingandWebSpoofing— MIYAMOTO Daisuke, HAZEYAMA Hiroaki, and KADOBAYASHI Youki This article intends to give case studies for of thwarting spoofing attack. Spoofing is widely used when attackers attempt to increase the success rate of their cybercrimes. In the context of Denial of Service (DoS) attacks, IP address spoofing is employed to camouflage the attackers’ location. In the context of social engineering, Web spoofing is used to persuade victims into giv- ing away personal information. A Web spoofing attacker creates a convincing but false copy of the legitimate enterprises’ web sites. The forged websites are also known as phishing sites. Our research group developed the algorithms, systems, and practices, all of which analyze cybercrimes that employ spoofing techniques. In order to thwart DoS attacks, we show the deployment scenario for IP traceback systems. IP traceback aims to locate attack source, regardless of the spoofed source IP addresses. Unfortunately, IP traceback requires that its sys- tems are widely deployed across the Internet. We argue the practical deployment scenario within Internets of China, Japan, and South Korea. We also develop a detection method for phishing sites. Currently, one of the most important research agenda to counter phishing is improving the accuracy for detecting phishing sites. Our approach, named HumanBoost, aims at improving the detection accuracy by utilizing Web users’ past trust decisions. Based on our subject experiments, we analyze the average detection accuracy of both HumanBoost and CANTINA. Keywords IP spoofing, Web spoofing, Internet emulation, IP traceback, Machine learning 1 Introduction measures. IP traceback aims to locate attack sources, regardless of the spoofed source IP DoS attacks exhaust the resources of addresses.
    [Show full text]
  • On the Security of Single Sign-On
    On the Security of Single Sign-On Vladislav Mladenov (Place of birth: Pleven/Bulgaria) [email protected] 30th June 2017 Ruhr-University Bochum Horst G¨ortz Institute for IT-Security Chair for Network and Data Security Dissertation zur Erlangung des Grades eines Doktor-Ingenieurs der Fakult¨atf¨urElektrotechnik und Informationstechnik an der Ruhr-Universit¨atBochum First Supervisor: Prof. Dr. rer. nat. J¨org Schwenk Second Supervisor: Prof. Dr.-Ing. Felix Freiling www.nds.rub.de Abstract Single Sign-On (SSO) is a concept of delegated authentication, where an End- User authenticates only once at a central entity called Identity Provider (IdP) and afterwards logs in at multiple Service Providers (SPs) without reauthenti- cation. For this purpose, the IdP issues an authentication token, which is sent to the SP and must be verified. There exist different SSO protocols, which are implemented as open source libraries or integrated in commercial products. Google, Facebook, Microsoft and PayPal belong to the most popular SSO IdPs. This thesis provides a comprehensive security evaluation of the most popular and widely deployed SSO protocols: OpenID Connect, OpenID, and SAML. A starting point for this research is the development of a new concept called malicious IdP, where a maliciously acting IdP is used to attack SSO. Generic attack classes are developed and categorized according to the requirements, goals, and impact. These attack classes are adapted to different SSO proto- cols, which lead to the discovery of security critical vulnerabilities in Software- as-a-Service Cloud Providers, eCommerce products, web-based news portals, Content-Management systems, and open source implementations.
    [Show full text]
  • DNS and the DNS Cache Poisoning Attack
    Lecture 17: DNS and the DNS Cache Poisoning Attack Lecture Notes on “Computer and Network Security” by Avi Kak ([email protected]) June 25, 2021 3:21pm ©2021 Avinash Kak, Purdue University Goals: The Domain Name System BIND Configuring BIND Running BIND on your Ubuntu laptop Light-Weight Nameservers (and how to install them) DNS Cache Poisoning Attack Writing Perl and Python code for cache poisoning attacks Dan Kaminsky’s More Virulent DNS Cache Poisoning Attack CONTENTS Section Title Page 17.1 Internet, Harry Potter, and the Magic of DNS 3 17.2 DNS 5 17.3 An Example That Illustrates Extensive DNS 13 Lookups in Even the Simplest Client-Server Interactions 17.4 The Domain Name System and The dig Utility 28 17.5 host, nslookup, and whois Utilities for Name 42 Lookup 17.6 Creating a New Zone and Zone Transfers 45 17.7 DNS Cache 48 17.7.1 The TTL Time Interval 51 17.8 BIND 56 17.8.1 Configuring BIND 58 17.8.2 An Example of the named.conf Configuration File 64 17.8.3 Running BIND on Your Ubuntu Laptop 68 17.9 What Does it Mean to Run a Process in a 70 chroot Jail? 17.10 Phishing versus Pharming 73 17.11 DNS Cache Poisoning 74 17.12 Writing Perl and Python Code for Mounting a 81 DNS Cache Poisoning Attack 17.13 Dan Kaminsky’s More Virulent Exploit for 92 DNS Cache Poisoning 17.14 Homework Problems 99 Computer and Network Security by Avi Kak Lecture 17 Back to TOC 17.1 INTERNET, HARRY POTTER, AND THE MAGIC OF DNS If you have read Harry Potter, you are certainly familiar with the use of owl mail by the wizards and the witches.
    [Show full text]
  • 2013  2013 5Th International Conference on Cyber Conflict
    2013 2013 5th International Conference on Cyber Conflict PROCEEDINGS K. Podins, J. Stinissen, M. Maybaum (Eds.) 4-7 JUNE 2013, TALLINN, ESTONIA 2013 5TH INTERNATIONAL CONFERENCE ON CYBER CONFLICT (CYCON 2013) Copyright © 2013 by NATO CCD COE Publications. All rights reserved. IEEE Catalog Number: CFP1326N-PRT ISBN 13 (print): 978-9949-9211-4-0 ISBN 13 (pdf): 978-9949-9211-5-7 ISBN 13 (epub): 978-9949-9211-6-4 Copyright and Reprint Permissions No part of this publication may be reprinted, reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the NATO Cooperative Cyber Defence Centre of Excellence ([email protected]). This restriction does not apply to making digital or hard copies of this publication for internal use within NATO, and for personal or educational use when for non-profit or non- commercial purposes, providing that copies bear this notice and a full citation on the first page as follows: [Article author(s)], [full article title] 2013 5th International Conference on Cyber Conflict K. Podins, J. Stinissen, M. Maybaum (Eds.) 2013 © NATO CCD COE Publications Printed copies of this publication are available from: NATO CCD COE Publications Filtri tee 12, 10132 Tallinn, Estonia Phone: +372 717 6800 Fax: +372 717 6308 E-mail: [email protected] Web: www.ccdcoe.org Layout: Marko Söönurm Legal Notice: This publication contains opinions of the respective authors only. They do not necessarily reflect the policy or the opinion of NATO CCD COE, NATO, or any agency or any government.
    [Show full text]
  • Network Disruption by Spoofing Service Attacks
    Rochester Institute of Technology RIT Scholar Works Theses 2004 Network Disruption by Spoofing Service Attacks Yadasiri Lertlit Follow this and additional works at: https://scholarworks.rit.edu/theses Recommended Citation Lertlit, Yadasiri, "Network Disruption by Spoofing Service Attacks" (2004). Thesis. Rochester Institute of Technology. Accessed from This Thesis is brought to you for free and open access by RIT Scholar Works. It has been accepted for inclusion in Theses by an authorized administrator of RIT Scholar Works. For more information, please contact [email protected]. Rochester Institute of Technology Department of Information Technology Master of Science in Information Technology Thesis Network Disruption by Spoofing Service Attacks by Yadasiri Lertlit Committee Chair Prof. Pete Lutz Committee Members Prof. Jim Leone Prof. Charlie Border Thesis Reproduction Permission Form Rochester Institute of Technology B. Thomas Golisano College of Computing and Information Sciences Master of Science in Information Technology Network Disruption by Spoofing Service Attacks I, Yadasiri Lertlit, hereby grant permission to the Wallace Library of the Rochester Institute of Technology to reproduce my thesis in whole or in part. Any reproduction must not be for commercial use or profit. Signature of Author: __________ Rochester Institute of Technology B. Thomas Golisano College of Computing and Information Sciences Master of Science in Information Technology Thesis Approval Form Student Name: Yadasiri Lertlit Project Title: Network Disruption by Spoofing Service Attacks Thesis Committee Name Signature Date Peter H. Lutz, Ph.D Chair Jim Leone, Ph.D Committee Member Charlie Border, Ph.D Committee Member Abstract It is clearly evident as the Internet continues to grow that it has become a prominent and dependable source for information, and tool for business-use.
    [Show full text]
  • A Practical GPS Location Spoofing Attack in Road Navigation Scenario
    A Practical GPS Location Spoofing Attack in Road Navigation Scenario Kexiong (Curtis) Zeng 1, Yuanchao Shu 2, Shinan Liu 3, Yanzhi Dou 1, Yaling Yang 1 1Virginia Tech; 2Microsoft Research; 3University of Electronic Science and Technology of China 1{kexiong6, yzdou, yyang8}@vt.edu; [email protected]; [email protected]; ABSTRACT Missouri armed robbers trapped unwitting Pokemon Go players at High value of GPS location information and easy availability isolated locations on their way navigated to Pokestops. Besides of portable GPS signal spoofing devices incentivize attackers to life-threatening issues, GPS spoofing attacks can also cause havoc launch GPS spoofing attacks against location-based applications. to other location-based applications. For taxi-hailing applications, In this paper, we propose an attack model in road navigation adversaries can cause chaos to job dispatch systems and manipulate scenario, and develop a complete framework to analyze, simulate drivers’ taximeter by manipulating GPS locations of the targeted and evaluate the spoofing attacks under practical constraints. To in-vehicle mobile devices. For crowdsourcing services, attackers launch an attack, the framework first constructs a road network, can spoil the system by creating fake real-time events (e.g., traffic and then searches for an attack route that smoothly diverts a victim congestions) in the same way. Launching GPS spoofing attacks on civilian GPS signals without without his awareness. In extensive data-driven simulations in 1 College Point, New York City, we managed to navigate a victim cryptographic authentication mechanisms is not hard . Due to locations 1km away from his original destination. to the ubiquitousness of unencrypted GPS signals, GPS-based navigation systems are inherently vulnerable to signal spoofing attacks.
    [Show full text]
  • Hacker 6-22-2020 Four Credential Scamming “Paypal” Emails Reported
    Hacker 6-22-2020 Four Credential Scamming “PayPal” Emails Reported: Two Wyoming citizens reported four credential scamming emails claiming to be from PayPal asking you to log-in and confirm information about your PayPal account. None of the links actually forwarded to PayPal. The first one had a subject line of Reminder: [Action Required] Someone just signed in using your account to make an unexpected payment. - Identity Ticket: [#90144094]. The sender was from "serviс[email protected]ρaI.сom" [email protected]. This email claims that your access has been limited and asks you to verify your PayPal information but the link is not to PayPal and instead is to http://trk.klclick3.com/// with a long string of letters. The second email’s subject line was Reminder : [Daily Report Alert] Statement update login with Google Chrome From Guinea on 19 June, 2020. The email stated that “You are in violation of PayPal’s Acceptable Use Policy,” was from the email address of "[email protected]" [email protected]. The third email’s subject line was Your account has been suspended (Ref - 09189042696) and the sender’s email address was [email protected] <m6utz07crsj2fo9- [email protected] and it claimed to find suspicious activity on your credit card and you should log-in to confirm. The final email’s subject line was [New access detected] [Statements Update] [Daily Report] Statement Update New Login: Monday, June 15, 2020 from "[email protected]" [email protected] and it also claimed that you were in violation of PayPal’s Acceptable Use Policy.
    [Show full text]